Security issue with glob

[tinohager]

Hello,
npm audit reports a vulnerability related to the glob package.
Would it be possible to update this dependency in your project?

glob CLI: Command injection via -c/--cmd executes matches with shell:true

[MrYerome]

I have the same issue.
@tinohager : What do you use as dependency visualizer to generate the graphic above ?

[tinohager]

@MrYerome https://npmgraph.js.org/?q=glob

[Xenope]

Would love to have an update yes, but is this repo ever maintained anymore?

Not seeing any updates this past year.

[Xenope]

Hum, it looks like it's ok? Version 10.5.0 of glob that contains the fix is being installed now.

It's weird because my trivy scan still shoes me a vulnerability with version 10.4.5.

[tinohager]

An update has also been made here.

[davidd396]

Same here. I'm afraid that this repo is not maintained anymore...
There are multiple pending security patches.

[dereekb]

I ran into the same thing with Snyk. It seems like just adding the patched glob as a dev dependency should be fine and quiets the Snyk error/warning. The security issue seems to be only related to using the glob CLI functionality.

That said it would be nice to have the dependencies for this project updated.

[erikpragt-connectid]

Hi all, I ran into the same issue, and I fixed it by using a dependency override in the package.json:

  "overrides": {
    "glob": "10.5.0"
  },

[Xenope]

There is an issue with minimatch in the dependencie tree now, i wonder if this repo is maintained anymore and will bump the dependencies versions?

Any suggestion for a replacement library?

[catamphetamine]

Hi,

In case anyone's interested, I made a fork of archiver today to fix the npm security issue.

The forked code is for an unreleased (for some reason) version of archiver@8.0.0.
It has a breaking change though: the minimum supported Node.js version now is 18.

And the default export is now replaced with a named export called ZipArchive with the first argument "zip" now being omitted.

The forked package also contains other fixes such as added TypeScript definitions, removing outdated/deprecated dependencies, etc.

The forked package is available on npm as archiver-node:
https://www.npmjs.com/package/archiver-node

npm install archiver-node --save

import { ZipArchive } from 'archiver-node'

const archive = new ZipArchive({ ... options ... })

[gameroman]

If anyone is interested there is also https://github.com/node-archiver/archiver

[Xenope]

Will take a look in the future, thanks for the heads up!